THM Brooklyn Nine Nine Walkthrough

Welcome to my walkthrough of the Brooklyn Nine Nine box from TryHackMe.com. This is my first writeup, so apologies in advance for any mistakes. I will try to keep things spoiler-free whilst also showing as much information as possible. So without further delay, let's begin.


First things first, start both the machine and the Attack Box. This takes a few minutes, so I'm going to grab a brew in the meantime. Hacking doesn't work without caffeine (and a black hoodie of course)!



OK, so coffee is sorted and the box is loaded.
Let's begin with an nmap scan. We're not trying to be stealthy here, so I use aggressive mode with a full TCP connect and scan all ports. THM are known to hide things on obscure ports, so it's best to check them all even if it does take a little longer.




Scan results are in! We have port 21 running an FTP server, anonymous login is allowed, and it looks like we have an interesting file called "note_to_****.txt". We also have SSH running on port 22 and HTTP on port 80.

I'm going to set gobuster running on the webserver, whilst I go and grab that file from the FTP server.


Interesting. We now have three possible usernames and the information that one of them has a weak password! This sounds like a job for THC Hydra. Meanwhile, the Gobuster scan found nothing of use; we can come back to this with a different dictionary later if needed.


The next step is to fire up Hydra and pass it the username we found that has a weak password. I'm going to use rockyou.txt, just for completeness. If the password is weak enough, Hydra should find it quickly!


Ok, so that was crazy fast. We now have a valid username and password for SSH. Let's go ahead and log in, and start digging for files. Nothing in the user's home directory, but if we look in /home then we can see the usernames we gathered from before. Checking them all, one reveals the user flag.



Success! All we need now is root. Let's try some basic privilege escalation with sudo.


OK, so we can run "less" as sudo with our current user. Checking GTFOBins, we can see that less can be used to run a shell as root. Perfect!



Just like that, we have our root shell and therefore the flag.
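
Looking at this from the defender's side, a sudo rule like the one used above is easy to catch in an audit. The script below is an added example, not part of the original walkthrough or the box: it parses `sudo -l` output and flags rules that allow a shell-capable program without the sudoers NOEXEC tag. The sample output, user, host and the short program list are constructed for illustration.

```python
import os
import re

# Programs with a built-in shell escape or command runner. Short illustrative
# list picked for this example; GTFOBins catalogues many more.
SHELL_CAPABLE = {"less", "more", "man", "vi", "vim", "nano", "find", "awk"}

# Constructed sample of `sudo -l` output (user, host and rules are invented).
SAMPLE = """\
User alice may run the following commands on host1:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
    (ALL : ALL) ALL
"""

ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_sudo_listing(text):
    """Return (runas, command, reason) for each risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # header or blank line
        runas, noexec = entry.group("runas"), False
        # Naive split: does not handle commas escaped inside arguments.
        for cmd in entry.group("rest").split(","):
            cmd = cmd.strip()
            # Tags such as NOPASSWD: or NOEXEC: prefix a command and carry
            # over to the commands after it until EXEC: switches back.
            tag = TAG.match(cmd)
            while tag:
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
                tag = TAG.match(cmd)
            if cmd == "ALL":
                findings.append((runas, cmd, "unrestricted command set"))
            elif cmd and os.path.basename(cmd.split()[0]) in SHELL_CAPABLE and not noexec:
                findings.append((runas, cmd, "shell-capable program without NOEXEC"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_listing(SAMPLE):
        print(f"[!] ({runas}) {cmd}: {reason}")
```

NOEXEC only blocks the shell escape; a pager run through sudo can still open any file the target user can read, so the safer fix is to remove the rule or replace it with a narrowly scoped command.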

Thanks to FSociety2006 for a great beginner's box, and I hope you found the walkthrough helpful.
